Q and A on cross-site request forgery and breaking into sessions. CSRF is one of the attacks that XSS enables, and the attack of the future. Also covers session fixation, hijacking, lockout, replay, session riding, etc.

I know that to get rid of CSRF attacks we have to use CSRF tokens, but I am not sure about the internal workings of this. What I mean is: where do these tokens get created, how does the transfer happen from client to server, when are they validated, and so on.

Can someone explain how the CSRF token implementation works, with a pictorial representation?

1. The server generates a one-time random token (with an expiry time of around >= 20 mins).
2. The client serves the token inside a hidden form input field.
3. When the submission is made, the client token is checked against the server token and the expiry time.
4. The server then destroys the server-side token, whether the request is valid or not, and generates a new one.

There are a couple of pitfalls, like an empty token request: the client serves a blank token and the server doesn't have a valid token generated if the attacker makes a request directly to the target operation without first making a request to generate a token. The expiry is required to stop token reuse by an attacker; also, the token should be user-specific to stop an attacker's token being used by a user. You also have to make sure that the site cannot be framed, since you can bypass any token; see this attack [www.thespanner.co.uk]
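The four-step flow from the answer above, as an added Python example that is not code from the original post: a small server-side token store (one outstanding token per session, single use, time-limited, constant-time comparison) plus a simulated client that submits the hidden field it was served, run through the cases the answer warns about (blank token from a direct forged request, an attacker's own token replayed into another user's session, reuse of a consumed token, expiry). The names CsrfTokenStore, render_form, extract_hidden_token and run_scenarios, the fixed session ids and the 20-minute TTL are this example's own assumptions.

```python
import hmac
import re
import secrets
import time

TOKEN_TTL_SECONDS = 20 * 60  # the ">= 20 mins" expiry from the answer (assumed value)


class CsrfTokenStore:
    """Server side: one outstanding CSRF token per session, consumed on use.

    The clock is injectable so the expiry check can be exercised offline.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._tokens = {}  # session_id -> (token, expires_at)

    # Step 1: generate a one-time random token bound to this session.
    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[session_id] = (token, self._clock() + self._ttl)
        return token

    # Step 2: serve the token to the client in a hidden form input.
    def render_form(self, session_id):
        token = self.issue(session_id)
        return (
            '<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>'
        )

    # Steps 3 and 4: compare the submitted token with the stored one and the
    # expiry, then destroy the stored token whether or not the check passed.
    def validate(self, session_id, submitted):
        stored = self._tokens.pop(session_id, None)  # consumed either way
        if not submitted:
            return False, "blank token submitted"
        if stored is None:
            return False, "no token issued for this session"
        token, expires_at = stored
        if self._clock() > expires_at:
            return False, "token expired"
        # Constant-time comparison on bytes so a non-ASCII submission cannot
        # raise instead of simply failing.
        if not hmac.compare_digest(token.encode(), submitted.encode()):
            return False, "token mismatch"
        return True, "ok"


def extract_hidden_token(html):
    """Client side: a real browser just submits the hidden field it was served."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def run_scenarios():
    """Walk through the legitimate flow and the pitfalls from the answer.

    Returns a dict of scenario name -> whether the server accepted the request.
    """
    now = [1_000_000.0]  # fake clock, constructed for the demo
    store = CsrfTokenStore(clock=lambda: now[0])
    results = {}

    # Legitimate flow: the victim loads the form, then submits the token it got.
    token = extract_hidden_token(store.render_form("victim-session"))
    results["legit"] = store.validate("victim-session", token)[0]

    # Replay: the same token a second time; it was destroyed on first use.
    results["replay"] = store.validate("victim-session", token)[0]

    # Direct forged POST: the attacker never loaded the form, so the hidden
    # field is blank and no token is outstanding for the victim's session.
    results["direct_post"] = store.validate("victim-session", "")[0]

    # Cross-user: the attacker fetches a valid token in their own session and
    # plants it in a request that runs in the victim's session.
    attacker_token = extract_hidden_token(store.render_form("attacker-session"))
    store.render_form("victim-session")  # victim has a fresh token of their own
    results["cross_user"] = store.validate("victim-session", attacker_token)[0]

    # Expiry: the token is issued, then the clock moves past the TTL.
    token = extract_hidden_token(store.render_form("victim-session"))
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.validate("victim-session", token)[0]

    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:12s} accepted={accepted}")
```

Keying the store by session rather than by token value is what makes the token user-specific: the attacker's token is a perfectly good token, it just is not the one recorded for the victim's session. Because validate() consumes the stored token on every call, as step 4 describes, a forged request that reaches it with a blank token also discards the victim's outstanding token, so a victim with the form open has to reload it; the direct_post scenario shows that behaviour. A per-session single token also means two tabs of the same form overwrite each other, which real frameworks handle by keeping a small set of live tokens per session.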